Mac OS X hit with another serious security issue

When it rains, it pours. Yet another "highly critical" hole has been found in Apple Computer Inc.'s Mac OS X operating system, which will allow remote system access by getting someone to visit a malicious Web site.

Free IT resource Open Source Business Conference (OSBC) May 22-23, 2007 Sponsored by OSBC Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

Lixlpixel has reported a vulnerability dealing with how basic Internet elements are addressed in the OS' help facility that allow arbitrary local scripts to be executed on a user's machine. It is also possible to place files in a known location on a system by asking users to download a ".dmg" disk image file. A default browser option in Explorer and Safari will mean a single user click is enough to drive the whole process.

The combination of the two holes, tested and confirmed by security experts Secunia, can therefore allow system access to be achieved "very simply" according to Secunia CTO Thomas Kristensen. The holes affect Safari 1.x and Explorer 5.x.

The solution is to change browser options and rename the help URI handler. More details are available on Secunia's site.

In the past fortnight, controversy has reigned over security vulnerabilities in the Mac OS, with three security companies accusing Apple of downplaying significant security holes -- twice -- and leaving their customers at risk of compromise.

However, many of those fiercely loyal users have pointed the lack of viruses and hacking tools that security holes in Windows tend to generate as evidence that there is no real security issue. The appearance of a malicious file last week that purported to be a Word 2004 for Mac demo but in fact wiped out a user's Home folder, put that assumption under question.

However, Apple argued that the file was not a virus since it was not self-propagating and has continued to dismiss security concerns. It is this behavior, and the company's failure to make its customers aware of such issues, that has led some security companies to despair of what they see as foolish complacency. One of them, eEye Digital Security Inc. said: "It is our sincere hope that the vendor will make an earnest effort to increase the maturity of its security response capabilities, so that researchers will be encouraged to continue to work with them amicably on future security issues. Apple is doing a disservice to its customers by incorrectly labelling this vulnerability as a 'crash bug' rather than stating correctly that attackers can compromise systems running the affected Apple software."

While constant problems with Microsoft's software -- in particular Windows -- continue to have a far greater impact than holes in Macs, Microsoft's more open approach to security holes was only learnt through a misguided effort in the past to keep security issues quiet, a lesson that Apple could well heed.